[Samba] Access to sharing by hostname but not by its IP

Rowland Penny rpenny at samba.org
Tue Jul 25 15:39:29 UTC 2017

On Tue, 25 Jul 2017 17:07:58 +0200
Marc-Henri Pamiseux via samba <samba at lists.samba.org> wrote:

> Rowland,
> Thank you for letting me know that the '*' used in the idmap
> configuration concerns the well known Identifiers. I did not know. In
> fact, I thought it was to characterize the identifiers that do not
> belong to the domain cited, a kind of identifier by default. On closer
> inspection, that is how it is used.
> I did not plan to use local Linux identifiers other than system
> identifiers (<1000). This is a Samba migration so there are already
> accounts with identifiers between 1001 and 1072 then between 3000059
> and 3000087. I would like my shares to work before re-uniformizing
> these identifiers and then review the ACLs of the files involved in
> these changes .
> I have remove "password server", "encrypt passwords" and "vfs objects
> = dfs_samba4" from /etc/samba/smb.conf;
> default idmap config range is now from 850 to 999.
> As Louis van Belle explain, "If the Kerberos protocol is not
> negotiated for some reason, Active Directory uses LM, NTLM, or NTLM
> version 2 (NTLMv2). And in this case, windows fals back to NTLM and
> then you accessing the server as user guest".
> The proposed GPO (Network security: LAN Manager Authentication Level
> setting to Send NTLMv2 responses only) was already setup.
> By the way, i was ignoring this process. Cool :)
> Since I switched to winbind, I no longer get the value of the ids
> stored in Active Directory.
> The getent command no longer add the domain's short name as a prefixe
> for user accounts. What were the options for this display?
> On the RHEA file server, I stopped winbind, smbd and nmbd and then
> deleted the files:
> /var/lib/samba/{winbindd_cache.tdb,winbindd_idmap.tdb}.
> I have restart all these services. nothing better.
> An idea ?

If you use the winbind 'ad' backend, then any user you want to be
visible to Unix, must have a uidNumber attribute containing a number
inside the 'DOMAIN' range set in smb.conf. 

The users Unix primary group must also have a gidNumber attribute
containing a number inside the same range. 

Before Samba 4.6.0 this meant that 'Domain Users' must have a
gidNumber, From 4.6.0 this changes. You now need to give your users a
gidNumber containing the Unix ID number of a group and the group would
have to have a gidNumber attribute containing the same number. 

For instance, if you have a group in AD called 'unixgroup' and this
group has a gidnumber attribute containing the ID '10000', then to make
this group your users Unix primary group, you would add 'gidNumber:
10000' to the users AD objects. You would also need to add a line to

idmap config SAMDOM:unix_primary_group = yes

If you do not have the above line in smb.conf, then, as far as I
understand, it still works in the same way as earlier versions i.e.
Domain Users needs a gidNumber.

If everything else is setup correctly, 'getent passwd username' should
show the users info and until it does, your user is unknown to Unix.


More information about the samba mailing list